Cloud Security From Infrastructure to People- ware Tzar Umang

Posted on 21-Feb-2017

TRANSCRIPT

Cloud Security

From Infrastructure to People-ware

Tzar Umang

What is cloud?

Cloud computing involves computing over a network, where a program or application may run on many connected computers at the same time. It specifically refers to a computing hardware machine or group of computing hardware machines, commonly referred to as a server, connected through a communication network such as the Internet, an intranet, a local area network (LAN) or a wide area network (WAN).

-Wikipedia

The Cloud Pyramid

Infrastructure as a Service

Platform as a Service

Software as a Service

Business Process as a Service

IBM X-Force Report

2012 Sampling of Security Incidents by Attack Type, Time and Impact

Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses

Coverage

20,000+ devices under contract

3,700+ managed clients worldwide

13B+ events managed per day

133 monitored countries (MSS)

1,000+ security related patents

Depth

14B analyzed web pages & images

40M spam & phishing attacks

64K documented vulnerabilities

Billions of intrusion attempts daily

Millions of unique malware samples

Security Challenges

• Virtual and Infrastructure
  o Cloud Mapping
  o Co-residence
  o Side Channeling
• Data Management Issues
  o Data Integrity
  o Data Provenance
  o Data Remanence
  o Data Availability
• Users / People-ware
  o Identity
  o Policy Development

4 Dimensions of Security Challenge (figure)

• Applications: Web Applications, Systems Applications, Web 2.0, Mobile Applications
• Infrastructure: Datacenters, PCs, Laptops, Mobile, Cloud, Non-traditional
• Data: At rest, In motion, Unstructured, Structured
• People: Hackers, Suppliers, Consultants, Terrorists, Employees, Outsourcers, Customers

Infrastructure

• Typical Datacenter
• Virtualization

(Figure: Typical Architecture vs. Virtual Architecture)

Virtual Machine Security Challenge

• Cloud Mapping

Figure captions: A plot of the internal IP addresses assigned to instances launched during the initial mapping experiment using Account A. A plot of the internal IP addresses of instances launched in Zone 3 by Account A and, 39 hours later, by Account B; 55 of the Account B IPs were repeats of those assigned to instances for Account A.

Cloud Mapping Mitigation

• Mapping:
  o Use a randomized scheme to allocate IP addresses
  o Block some scanning tools/activities (nmap, traceroute)
• Co-residence checks:
  o Prevent identification of dom0/hypervisor

Virtual Machine Security Challenge

• Co-residence

Zone     # of victims v   # of probes p   Coverage
Zone 1   1                20              1/1
         10               20              5/10
         20               20              7/20
Zone 2   1                20              0/1
         10               18              3/10
         20               19              8/20
Zone 3   1                20              1/1
         10               20              2/10
         20               20              8/20

Results of launching p probes 5 minutes after the launch of v victims. The rightmost column specifies success coverage: the number of victims for which a probe instance was co-resident over the total number of victims.

Trial       Account A   Account B   Total
Midday      2/5         2/5         4/10
Afternoon   1/5         3/5         4/10
Night       2/5         2/5         4/10

The number of victims for which a probe achieved co-residence for three separate runs of 10 repetitions of launching 1 victim instance and, 5 minutes later, 20 probe instances. Odd-numbered repetitions used Account A; even-numbered repetitions used Account B.

What can co-residence do?

• Co-residency affords the ability to:
  o Denial of Service
  o Estimate the victim's workload
    • Cache
    • Network Traffic
• Extract cryptographic keys via cache-based side channels
• Other cross-VM attacks

Co-residence Mitigation

• Not allow co-residence at all:
  o Beneficial for cloud users
  o Not efficient for cloud providers
  o N-tier trust model?
• Information leakage:
  o Prevent cache load attacks?

Virtual Machine Security Challenge

• Side Channeling

Figure caption: Results of executing 100 Prime+Trigger+Probe cache timing measurements for three pairs of m1.small instances, both when concurrently making HTTP GET requests and when not. Instances in Trial 1 and Trial 2 were co-resident on distinct physical machines. Instances in Trial 3 were not co-resident.

Best Example of Side Channel Attack: Heartbleed

Side Channel Attack Mitigation

• Create better encryption technology
  o Oblivious
  o Non-colliding
• Work on large chunks
• Partition the encryption process into:
  • A slow but short part: implemented securely

Data Concerns in the Cloud

• Data Integrity
  o Cloud Service Provider (CSP) Concerns
  o Third Party Auditing (TPA)
  o Encryption and Multitenancy
• Data Provenance
• Data Remanence
• Data Availability
  o Elasticity
  o CSP Related Downtime
  o Malicious Attacks

Data Integrity

• Cloud Service Provider (CSP) Concerns
  o CSP Security
    • Data Transfer
    • Data-at-Rest
  o CSP Data Loss
    • Unintentional
    • Intentional
  o Third Party Auditing
    • The Auditor
    • Support for Dynamic Data

Data Integrity

• Encryption & Multitenancy
  o Multitenancy – storage of data from multiple clients in a single repository
  o Inability to use encryption in order to support indexing
  o Encryption largely irrelevant if data is analyzed on the cloud, as analysis requires decryption

Data Provenance & Remanence

• Data Provenance – Calculation Accuracy
  o Shared resources mean shared responsibility
  o Difficulty / impossibility in tracking involved machines
• Data Remanence – Data Cleansing
  o "Ghost Data" – left behind after deletion
  o No remanence security plan for any major CSP

Availability

• Cloud Service Provider Concern – Total Downtime (HH:MM:SS)

Availability   Per Day      Per Month   Per Year
99.999%        00:00:00.4   00:00:26    00:05:15
99.99%         00:00:08     00:04:22    00:52:35
99.9%          00:01:26     00:43:49    08:45:56
99%            00:14:23     07:18:17    87:39:29
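As an added worked example (not from the slide deck), the computation behind the downtime table above: an availability percentage turned into a downtime budget per period. It assumes a year of 365.2422 days and a month of one twelfth of that, with results truncated to whole seconds; under those assumptions it reproduces the month and year columns, while the slide's per-day figures for 99% and 99.999% differ slightly from the straight fraction-of-86,400-seconds result (14:24 and 0.86 s).

```python
# Added example: downtime budget behind an availability (SLA) percentage.
# Assumptions (not stated on the slide): 365.2422-day year, month = year / 12.
SECONDS_PER_DAY = 86_400
PERIOD_SECONDS = {
    "day": SECONDS_PER_DAY,
    "month": 365.2422 * SECONDS_PER_DAY / 12,
    "year": 365.2422 * SECONDS_PER_DAY,
}


def downtime_seconds(availability_pct, period):
    """Allowed downtime in seconds for e.g. 99.9 (%) over 'day', 'month' or 'year'."""
    if not 0 <= availability_pct <= 100:
        raise ValueError("availability must be a percentage between 0 and 100")
    unavailable_fraction = (100.0 - availability_pct) / 100.0
    return unavailable_fraction * PERIOD_SECONDS[period]


def hms(seconds):
    """Format a duration as HH:MM:SS, truncated to whole seconds.

    Sub-second budgets (the 99.999% per-day cell) are shown with one decimal.
    """
    if seconds < 1:
        return f"00:00:0{seconds:.1f}"
    whole = int(seconds)
    hours, rem = divmod(whole, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"


def downtime_table(levels=(99.999, 99.99, 99.9, 99.0)):
    """Rows of (availability, per day, per month, per year) like the slide's table."""
    return [
        (level,
         hms(downtime_seconds(level, "day")),
         hms(downtime_seconds(level, "month")),
         hms(downtime_seconds(level, "year")))
        for level in levels
    ]


if __name__ == "__main__":
    for row in downtime_table():
        print(row)
```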

Availability + Elasticity

• Distributed Denial of Service (DDoS) uses port flooding to slow systems or force server resets.
  o External Attack Models
  o Similar to Traditional Strikes
  o Cloud Usage as Attacker
  o Internal Attack Models
  o Protection Responsibility Lies on the User
  o CSP Would Need to Detect

An Example of DDoS Mitigation

• As used on the Smarter Philippines website (smarterph.com)

Flow (figure):

1. Detect GET request; detect packet activity as to size; detect activity pattern
2. Flag activities:
   1. Abnormal packet size
   2. Abnormal login request (brute force)
   3. Abnormal GET request
3. Route request to 127.0.0.1
4. Reverse attacker's IP; track attacker's IP routing scheme
5. Add attacker's IP to deny host
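As an added example (not code from the slide deck or from smarterph.com), a defender-side flagger covering the three flag conditions of the flow above and the final "add attacker's IP to deny host" step. The log format, thresholds and sample traffic are constructed for the example.

```python
# Added example: flag sources by packet size, failed logins and GET rate, then emit deny entries.
import re
from collections import defaultdict

# Constructed log format: "<epoch seconds> <client ip> <method> <path> <status> <bytes>"
LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+)$")


def flag_sources(lines, window=60, get_limit=20, login_fail_limit=5, max_bytes=1_000_000):
    """Map each client IP to the set of flag reasons it triggered (unflagged IPs are absent)."""
    gets = defaultdict(int)         # (ip, time bucket) -> GET count in that window
    login_fails = defaultdict(int)  # ip -> failed POST /login count
    flags = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        ts, ip, method, path, status, nbytes = m.groups()
        ts, status, nbytes = int(ts), int(status), int(nbytes)
        if nbytes > max_bytes:                          # 1. abnormal packet size
            flags[ip].add("abnormal packet size")
        if method == "POST" and path == "/login" and status == 401:
            login_fails[ip] += 1                        # 2. abnormal login requests
            if login_fails[ip] >= login_fail_limit:
                flags[ip].add("abnormal login request (brute force)")
        if method == "GET":                             # 3. abnormal GET request rate
            bucket = (ip, ts // window)
            gets[bucket] += 1
            if gets[bucket] > get_limit:
                flags[ip].add("abnormal GET request rate")
    return dict(flags)


def deny_entries(flags):
    """hosts.deny-style lines (TCP wrappers syntax) for every flagged source."""
    return [f"ALL: {ip}" for ip in sorted(flags)]


def build_sample_log():
    """Constructed traffic: one benign client plus one client per flag condition."""
    lines = [f"{1000 + i} 192.0.2.1 GET /page{i % 3} 200 2048" for i in range(10)]
    lines += [f"{1000 + i // 5} 203.0.113.5 GET / 200 512" for i in range(40)]  # 40 GETs in 8 s
    lines += [f"{1000 + i} 198.51.100.7 POST /login 401 64" for i in range(6)]  # 6 failed logins
    lines += ["1005 192.0.2.9 POST /upload 200 5000000"]                         # 5 MB body
    return lines


if __name__ == "__main__":
    found = flag_sources(build_sample_log())
    for ip, reasons in sorted(found.items()):
        print(ip, sorted(reasons))
    print("\n".join(deny_entries(found)))
```

A hosts.deny entry only affects services linked against TCP wrappers, so for a web server the equivalent of the slide's deny-host step is a firewall or web-server deny rule fed from the same list.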

Solution: Infrastructure Protection – Endpoint Vision

Key Themes

• Security for Mobile Devices: Provide security for and manage traditional endpoints alongside mobile devices such as Apple iOS, Google Android, Symbian, and Microsoft Windows Phone, using a single platform
• Expansion of Security Content: Continued expansion of security configuration and vulnerability content to increase coverage for applications, operating systems, and industry best practices
• Security Intelligence Integration: Improved usage of analytics, providing valuable insights to meet compliance and IT security objectives, as well as further integration with SiteProtector and the QRadar Security Intelligence Platform

Knowing the User

Policy Development

• Challenges
  o Define security policies and standards
  o Measure actual security against policy
  o Report violations to policy
  o Correct violations to conform with policy
  o Summarize policy compliance for the organization

Layers of Information Security - Revisited

Policies

• Purpose: Provide a framework for the management of security across the enterprise

Definitions

• Policies
  o High-level statements that provide guidance to workers who must make present and future decisions
• Standards
  o Requirement statements that provide specific technical specifications
• Guidelines
  o Optional but recommended specifications

Security Policy (example)

• Access to network resources will be granted through a unique user ID and password.
• Passwords should include one non-alpha character and not be found in a dictionary.
• Passwords will be 8 characters long.
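As an added example (not from the slide deck), a checker that measures a candidate password against the three clauses of the example policy above and reports which ones it violates, the "measure actual security against policy / report violations" step of policy development. Two assumptions are mine, not the slide's: "8 characters long" is read as a minimum of 8, and the dictionary check is case-insensitive and also tries the password with trailing digits removed, so a word with a number appended still fails.

```python
# Added example: report violations of the example password policy.
import re

# Constructed stand-in for a real word list such as /usr/share/dict/words.
SAMPLE_DICTIONARY = {"password", "welcome", "dragon", "letmein", "sunshine", "cloud"}


def dictionary_hits(password, dictionary):
    """Dictionary words the password reduces to (case-folded, trailing digits stripped)."""
    folded = password.lower()
    candidates = {folded, re.sub(r"\d+$", "", folded)}
    return sorted(c for c in candidates if c in dictionary)


def check_password(password, dictionary=SAMPLE_DICTIONARY, min_length=8):
    """Return the policy clauses the password violates; an empty list means compliant."""
    violations = []
    if len(password) < min_length:                       # "8 characters long" (read as a minimum)
        violations.append(f"must be at least {min_length} characters long")
    if not any(not ch.isalpha() for ch in password):     # "include one non-alpha"
        violations.append("must include at least one non-alphabetic character")
    hits = dictionary_hits(password, dictionary)         # "not found in dictionary"
    if hits:
        violations.append(f"must not be a dictionary word (matches: {', '.join(hits)})")
    return violations


if __name__ == "__main__":
    for candidate in ("Welcome1", "abc", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "compliant")
```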

Elements of Policies

• Set the tone of management
• Establish roles and responsibility
• Define asset classifications
• Provide direction for decisions
• Establish the scope of authority
• Provide a basis for guidelines and procedures
• Establish accountability
• Describe appropriate use of assets
• Establish relationships to legal requirements

Policies Should…

Clearly identify and define the information security goals and the goals of the group, company or the whole country

Policy Lifecycle (figure)

Elements shown: Cabinet Goals, IS Goals (Info Security), Policy, Standards, Procedures, Guidelines, Awareness, Actions

Ten Step Approach

Collect Background Information

• Obtain existing policies
  o Creighton's
  o Others
• Identify what levels of control are needed
• Identify who should write the policies

Perform Risk Assessment

• Justify the policies with risk assessment
  o Identify the critical functions
  o Identify the critical processes
  o Identify the critical data
  o Assess the vulnerabilities

Create a Policy Review Board

• The Policy Development Process
  o Write the initial "Draft"
  o Send to the Review Board for comments
  o Incorporate comments
  o Resolve issues face-to-face
  o Submit "Draft" policy to Cabinet for approval

Develop Information Security Plan

• Establish goals
• Define roles
• Define responsibilities
• Notify the user community as to the direction
• Establish a basis for compliance, risk assessment, and audit of information security

Develop Security Policies, Standards, and Guidelines

• Policies
  o High-level statements that provide guidance to workers who must make present and future decisions
• Standards
  o Requirement statements that provide specific technical specifications
• Guidelines
  o Optional but recommended specifications

Implement Policies and Standards

• Distribute policies.
• Obtain agreement with policies before accessing Creighton systems.
• Implement controls to meet or enforce policies.

Awareness and Training

• Makes users aware of the expected behavior
• Teaches users how and when to secure information
• Reduces losses and theft
• Reduces the need for enforcement
• In the Government, policies are published in a leading newspaper

Monitor Compliance

• Management is responsible for establishing controls
• Management should REGULARLY review the status of controls
• Enforce "User Contracts" (Code of Conduct)
• Establish effective authorization approval
• Establish an internal review process
• Internal audit reviews

Evaluate Policy Effectiveness

• Evaluate
• Document
• Report

Modify Policies

Policies must be modified due to:
  o New technology
  o New threats
  o New or changed goals
  o Organizational changes
  o Changes in the law
  o Ineffectiveness of the existing policy

Policy Hierarchy (figure)

• Governance Policy
  o Access Control Policy
    • User ID Policy
  o Standards: Authentication Standard, Password Construction Standard, User ID Naming Standard
  o Guidelines: Strong Password Construction Guidelines

Solution: IBM Identity and Access Management Vision

Key Themes

• Standardized IAM and Compliance Management: Expand IAM vertically to provide identity and access intelligence to the business; integrate horizontally to enforce user access to data, applications, and infrastructure
• Secure Cloud, Mobile, Social Interaction: Enhance context-based access control for cloud, mobile and SaaS access, as well as integration with proofing, validation and authentication solutions
• Insider Threat and IAM Governance: Continue to develop Privileged Identity Management (PIM) capabilities and enhanced identity and role management

Solution: Application Security Vision

Key Themes

• Coverage for Mobile Applications and New Threats: Continue to identify and reduce risk by expanding scanning capabilities to new platforms such as mobile, as well as introducing next-generation dynamic analysis scanning and glass box testing
• Simplified Interface and Accelerated ROI: New capabilities to improve customer time to value and consumability with out-of-the-box scanning, static analysis templates and ease-of-use features
• Security Intelligence Integration: Automatically adjust threat levels based on knowledge of application vulnerabilities by integrating and analyzing scan results with SiteProtector and the QRadar Security Intelligence Platform

Solution (figure: security products feeding the QRadar Security Intelligence Platform)

• AppScan Enterprise: AppScan vulnerability results feed QRadar SIEM for improved asset risk assessment
• Tivoli Endpoint Manager: Endpoint Management vulnerabilities enrich QRadar's vulnerability database
• Guardium: Database assets, rule logic and database activity information
• Identity and Access Management: Identity context for all security domains, with QRadar as the dashboard
• IBM Security Network Intrusion Prevention System: Flow data into QRadar turns NIPS devices into activity sensors
• X-Force: Correlate new threats based on X-Force IP reputation feeds
• Hundreds of 3rd party information sources

Thank you for listening

Tzar C. Umang
President, Tzar Enterprises

email: [email protected]/tzarumang

twitter.com/definitelytzar